David Bergquist

Keeping your Lync/Skype Business Environment safe from Ransomware

What is Ransomware?


What is ransomware? Ransomware is any type of malicious software that infects a computer system, restricting access in some way and demanding that the user pay a “ransom” to remove the restriction. “Locky” is a type of ransomware that is relatively new to the scene. “Locky”, as an example, encrypts the user’s files using AES encryption and then demands payment through some form of digital currency service to decrypt them. Ransomware targets a large number of file extensions and, even more importantly, can encrypt data on unmapped network shares. Ransomware can completely change the names of your files in addition to encrypting and moving them, making it very difficult to restore your data. As if this wasn’t enough, ransomware can also delete your Shadow Volume Copies, preventing them from being used to restore files that have been encrypted! Nasty stuff, to say the least. So how does it propagate? Ransomware is primarily distributed via e-mails with attachments; however, it can also be distributed via fake update pop-ups (for Flash Player, Adobe Reader, or Java Runtime, for example) when browsing web sites.

We are a Business, we are safe! A common misconception is that this type of malware targets single users. However, businesses are commonly targeted and are just as susceptible to ransomware, if not more so. Businesses, of course, host high volumes of users, which increases the chance that someone will open an e-mail containing one of these attack vectors. Furthermore, businesses host and house personal computers (PCs) and servers, and some aspects of a business cannot function properly without those computers or the data they contain. This is where ransomware takes advantage, making users and businesses alike pay a fee to return to normal operations. The fee is set at an amount the business can feasibly pay, but where it would end up losing more by not paying to regain access to its data. If precautions haven’t been taken, it only takes a single user in the organization opening an e-mail containing one of these ransomware “macros” in a Word document and your business may be in jeopardy.

Recognizing Ransomware: “Locky” ransomware is a new variant (first appearing in February 2016) most commonly distributed via e-mail. The message will often have a subject line similar to “ATTN: J-98223146” and a body similar to “Please see the attached invoice”, with a Word document attachment containing malicious macros. “Locky” will scan all local drives and unmapped network shares for files, encrypt them, and rename them, making recovery very difficult. The following screen capture provides an example of such a message:

[Screen capture of an example “Locky” e-mail message; image not reproduced]

Other known types of ransomware include CryptoLocker, CryptoWall, and TorrentLocker. These are commonly distributed via e-mail, with attachments or links to web sites that end up infecting your computer, encrypting files, and telling the user to pay a ransom to decrypt those files. Some types of ransomware can prevent you from using your computer in the normal fashion, blocking access to web browsers or even preventing you from using Windows.
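The lure described above (an “ATTN: X-nnnnnnnn” subject, an “attached invoice” body, and a Word attachment) can be turned into a simple triage check for mail-gateway or message-trace records. The following PowerShell is an added example, not code from the original article; the message records in it are constructed sample data, and the `Test-LockyLure` function and its two-indicator threshold are the author-of-this-example’s choices, not anything the article specifies.

```powershell
# Added example (not from the original article): flag inbound messages that match the
# "Locky" lure described above. Feed it rows from a mail-gateway log or message trace;
# the $messages array below is constructed sample data for a stand-alone run.

function Test-LockyLure {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string]$Body = '',
        [string[]]$Attachments = @()
    )
    $reasons = @()

    # Subject pattern seen in the campaign, e.g. "ATTN: J-98223146"
    if ($Subject -match '^\s*ATTN:\s*[A-Z]-\d{6,}') {
        $reasons += 'subject matches the "ATTN: X-nnnnnnnn" pattern'
    }
    # Body text asks the recipient to open an invoice
    if ($Body -match 'attached invoice') {
        $reasons += 'body asks to open an attached invoice'
    }
    # Word documents are the delivery vehicle; .doc/.dot can carry VBA, .docm/.dotm always can
    $wordFiles = $Attachments | Where-Object { $_ -match '\.(doc|docm|dot|dotm)$' }
    if ($wordFiles) {
        $reasons += "macro-capable Word attachment(s): $($wordFiles -join ', ')"
    }

    # Require two independent indicators before calling a message suspicious,
    # so a lone "invoice" e-mail from accounting is not flagged by itself
    [pscustomobject]@{
        Subject    = $Subject
        Suspicious = ($reasons.Count -ge 2)
        Reasons    = $reasons
    }
}

# Constructed sample messages (not real traffic)
$messages = @(
    @{ Subject = 'ATTN: J-98223146'; Body = 'Please see the attached invoice.'; Attachments = @('invoice_J-98223146.doc') },
    @{ Subject = 'Lunch on Friday?';  Body = 'Anyone up for lunch?';             Attachments = @() },
    @{ Subject = 'Q3 report';         Body = 'Draft attached for review.';       Attachments = @('q3.docx') }
)

foreach ($m in $messages) {
    $r = Test-LockyLure -Subject $m.Subject -Body $m.Body -Attachments $m.Attachments
    '{0,-20} suspicious={1,-5} {2}' -f $r.Subject, $r.Suspicious, ($r.Reasons -join '; ')
}
```

Only the first sample message is reported as suspicious; the others match at most one indicator. In practice the flagged rows are what you would hand to the mail administrator to quarantine and to use for a user warning (see section 5), rather than anything automated.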

How can I specifically protect my Lync / Skype for Business environment? When your environment is infected with ransomware, your network file shares can be held for ransom, preventing access to computers and even to the services and applications on those computers. Here are some things to think about to ensure your Lync / Skype for Business environment is secure from ransomware:

1. Backups – If compromised by ransomware, access to PCs and/or servers could be affected, in addition to access to certain services and/or applications:

  • Either by means of existing backup technology or by running backup scripts on each of the Lync / Skype for Business servers, ensure you have weekly or even daily backups of your environment

  • You may be able to recover your compromised entity / data from a backup, allowing you to rid yourself of the issue
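A minimal version of the “backup script” the first bullet mentions, run from the Lync Server / Skype for Business Server Management Shell, is shown below. It is an added example and not a script from the article or from Microsoft; the backup root, pool FQDN and file-share UNC path are placeholders, and the 14-copy retention is an arbitrary choice. `Export-CsConfiguration`, `Export-CsLisConfiguration` and `Export-CsUserData` are the product’s own export cmdlets.

```powershell
# Added example (not from the original article): nightly export of the Lync / Skype for
# Business configuration plus a copy of the topology file share. Schedule with Task Scheduler
# on one Front End server. All paths and FQDNs below are placeholders.

$BackupRoot = 'E:\LyncBackups'                      # placeholder: local backup target
$PoolFqdn   = 'pool01.contoso.example'              # placeholder: Front End pool FQDN
$FileShare  = '\\fs01.contoso.example\LyncShare'    # placeholder: the topology file share
$KeepCopies = 14                                    # retention: number of dated folders to keep

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Topology and Central Management Store configuration (what Topology Builder published)
Export-CsConfiguration    -FileName (Join-Path $dest 'CsConfiguration.zip')
# Location Information Service (E911) data
Export-CsLisConfiguration -FileName (Join-Path $dest 'LisConfiguration.zip')
# Per-user data (contact lists, scheduled conferences) for the pool
Export-CsUserData -PoolFqdn $PoolFqdn -FileName (Join-Path $dest 'UserData.zip')

# Mirror the file share (address books, meeting content, etc.) into the dated folder
$shareDest = Join-Path $dest 'FileShare'
$log       = Join-Path $dest 'robocopy.log'
robocopy $FileShare $shareDest /MIR /R:2 /W:5 /NP "/LOG:$log"
# robocopy exit codes 8 and above indicate copy failures
if ($LASTEXITCODE -ge 8) {
    Write-Warning "robocopy reported failures (exit code $LASTEXITCODE); see $log"
}

# Prune old backups, keeping the newest $KeepCopies dated folders
Get-ChildItem -Path $BackupRoot -Directory |
    Sort-Object Name -Descending |
    Select-Object -Skip $KeepCopies |
    Remove-Item -Recurse -Force
```

Because the article notes that ransomware also encrypts unmapped network shares, the backup target should not itself be a share that user workstations can write to; copy the dated folder on to offline or backup-system storage that ordinary user accounts cannot reach, otherwise the backup can be encrypted along with the data it is meant to protect.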

2. File Share Permissions – If compromised by ransomware, files and folders located on a share can be encrypted and / or inaccessible until you pay a ransom. Microsoft Lync 2013 and Skype for Business Server 2015 clients and servers both require a “File Share” to obtain, store, and replicate data among the other servers in the topology in order to provide full functionality on a regular basis.

  • In regards to “Sharing”, ensure that “Everyone” does not have “Full Control” of the Lync / SFB file share:

    • Lync / Skype for Business can function without “Everyone” added once deployed.

    • “Everyone” can be added during the initial installation allowing successful deployment and publication of the topology

    • However, once the topology is published, this can be removed as Lync / Skype for Business will add its own required groups and permissions to the file share upon successful completion of the topology being published

    • Lync / Skype for Business will apply the following groups and permissions to the file share upon successful publication of the topology:

      • RTCHSUniversalServices – Allow Change / Read

      • RTCComponentUniversalServices – Allow Change / Read

      • RTCUniversalServerAdmins – Allow Change / Read

      • RTCUniversalConfigReplicator – Allow Change / Read

  • At a minimum, you could configure “Everyone” to have “Read Only” access; however, the groups outlined above are all that’s required to function properly once deployed

  • In regards to “Security” on the Lync / Skype for Business file share, “Everyone” should not have “Full Control”:

    • You can get away with “Read” permissions for “Everyone” at a minimum; however, “System”, “Local admins”, and the “Lync / SFB admins” should have rights allowing the permissions to be created during topology publication, as well as giving these groups access to the required data on the share as needed

  • Allowing “Everyone” “Full Control” to the shares could be dangerous in ransomware situations as the infection can spread quickly to file shares whether they are drive mapped or not:

    • Not to mention, this allows anyone to be able to access the share once they have access to the environment
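The share-level (“Sharing”) and NTFS (“Security”) checks above can be scripted on the file server. The following PowerShell is an added example, not code from the article: it reports “Everyone” with Full Control at either level, confirms the four RTC groups the article lists are present, and only then removes the Everyone entry (leaving Everyone with Read at the NTFS level, the minimum the article accepts). The share name and path are placeholders; the `SmbShare` cmdlets require Windows Server 2012 or later, and the remediation part should only run after the topology has been published.

```powershell
# Added example (not from the original article): audit and tighten permissions on the
# Lync / Skype for Business file share. Run as an administrator on the file server.

$ShareName      = 'LyncShare'               # placeholder: share name
$SharePath      = 'D:\Shares\LyncShare'     # placeholder: local NTFS path behind the share
$ExpectedGroups = 'RTCHSUniversalServices', 'RTCComponentUniversalServices',
                  'RTCUniversalServerAdmins', 'RTCUniversalConfigReplicator'

# --- Share permissions ("Sharing" tab) ---
$shareAcl     = Get-SmbShareAccess -Name $ShareName
$everyoneFull = $shareAcl | Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' }
if ($everyoneFull) { Write-Warning "Share '$ShareName': Everyone has Full Control" }

# The RTC* groups only appear after Topology Builder has published the topology
$missing = @()
foreach ($g in $ExpectedGroups) {
    if (-not ($shareAcl | Where-Object { $_.AccountName -like "*\$g" })) { $missing += $g }
}
if ($missing) {
    Write-Warning "Share '$ShareName': RTC groups not present ($($missing -join ', ')); has the topology been published?"
}

# --- NTFS permissions ("Security" tab) ---
$acl = Get-Acl -Path $SharePath
$everyoneNtfsFull = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and $_.FileSystemRights -match 'FullControl'
}
if ($everyoneNtfsFull) { Write-Warning "NTFS '$SharePath': Everyone has Full Control" }

# --- Remediation: only once the RTC groups are in place, so the servers keep their access ---
if ($missing.Count -eq 0) {
    if ($everyoneFull) {
        # Remove Everyone from the share entirely (the RTC groups carry the required rights).
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force
        # Or, to keep the Read minimum the article mentions, grant Read instead:
        # Grant-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -AccessRight Read -Force
    }
    if ($everyoneNtfsFull) {
        # Replace Everyone: Full Control with Everyone: Read & execute (inherited by subfolders/files).
        # Note: inherited entries cannot be removed here; fix those on the parent folder.
        foreach ($rule in $everyoneNtfsFull) { [void]$acl.RemoveAccessRule($rule) }
        $readRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'Everyone', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($readRule)
        Set-Acl -Path $SharePath -AclObject $acl
    }
}
```

Run the script once without the remediation block (or with `-WhatIf` added to `Revoke-SmbShareAccess` and `Set-Acl`) to see what it would change; if the RTC groups are reported missing, publish the topology first rather than forcing the change.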

3. Updates – Ensuring your clients and servers are current with the latest updates can protect against old and new vulnerabilities that ransomware exploits:

  • Ensure that all operating systems are up to date with critical security updates to minimize vulnerabilities

  • Ensure virus scanner, spyware, malware, and threat detection utilities running on clients and servers are up to date

  • Enable daily updating, automatic scanning, and reporting for virus scanner, spyware, malware, and threat detection utilities:

    • Being aware of a possible threat may help deter it from spreading allowing you to isolate the problem to a single PC, Server, or location before it has a chance to spread through the entire organization

  • Updates, scans, and reporting of malicious code and software can be enforced via group policies or through the product itself to ensure all subscribers are up to date and safe
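The “reporting” bullet above can be backed by a small compliance check run on each client or server. The PowerShell below is an added example, not the article’s own: it reports how old the last installed hotfix is and, using the built-in Windows Defender cmdlets (`Get-HotFix`, `Get-MpComputerStatus`), whether real-time protection is on, how old the signatures are and when the last quick scan ran. A third-party scanner would need its own query; the thresholds and the server FQDNs are placeholders.

```powershell
# Added example (not from the original article): patch-age and antimalware status report
# for one machine, suitable for fanning out with Invoke-Command and collecting into a CSV.

function Get-PatchAndAvStatus {
    param(
        [int]$MaxPatchAgeDays     = 30,   # placeholder threshold: newest hotfix must be this recent
        [int]$MaxSignatureAgeDays = 1,    # placeholder threshold: AV definitions must be this recent
        [int]$MaxScanAgeDays      = 1     # placeholder threshold: last quick scan must be this recent
    )
    $issues = @()

    # Newest installed hotfix (some entries have no InstalledOn date; skip those)
    $lastPatch = (Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1).InstalledOn
    if (-not $lastPatch -or ((Get-Date) - $lastPatch).Days -gt $MaxPatchAgeDays) {
        $issues += "no hotfix installed in the last $MaxPatchAgeDays days"
    }

    # Windows Defender status (signature age and scan age are reported in days)
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled)            { $issues += 'real-time protection is disabled' }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) { $issues += "signatures are $($mp.AntivirusSignatureAge) day(s) old" }
    if ($mp.QuickScanAge -gt $MaxScanAgeDays)           { $issues += "last quick scan was $($mp.QuickScanAge) day(s) ago" }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        LastPatch          = $lastPatch
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        QuickScanAgeDays   = $mp.QuickScanAge
        Compliant          = ($issues.Count -eq 0)
        Issues             = ($issues -join '; ')
    }
}

# Local check
Get-PatchAndAvStatus | Format-List

# Fleet check: run the same function on every server in the topology and keep a report
# $servers = 'fe01.contoso.example', 'fe02.contoso.example', 'edge01.contoso.example'   # placeholders
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-PatchAndAvStatus} |
#     Export-Csv -Path .\patch-av-report.csv -NoTypeInformation
```

A machine reported as non-compliant for signature age can be brought current with `Update-MpSignature`; one reporting no recent hotfix is a candidate for the next maintenance window before anything else.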

4. Office Products – Guard against opening e-mails (Outlook) and Word documents (or any Office file) that contain macros. In Word / Excel / Outlook, go to: File, Options, Trust Center, Trust Center Settings, Macro Settings and select “Disable all macros without notification”. You could also configure this via Group Policy or during the install of the product(s). Macros can be controlled as shown here:

[Screen capture of the Trust Center macro settings dialog; image not reproduced]
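The Trust Center setting above is stored in the registry, and the Group Policy route the article mentions writes the same value under the `Policies` hive, where the user cannot change it back. The following PowerShell is an added example, not from the article: it reads and sets `VBAWarnings` for Word and Excel (value 4 is “Disable all macros without notification”; 1, 2 and 3 are the other three Trust Center options). Outlook stores its macro security under a different key and is not covered here; the Office version numbers are the ones for Office 2010, 2013 and 2016 and later.

```powershell
# Added example (not from the original article): check and enforce the "Disable all macros
# without notification" policy for Word and Excel for the current user. Writing under
# HKCU:\Software\Policies mirrors what the Office Group Policy templates set.

$OfficeVersions = '14.0', '15.0', '16.0'    # Office 2010, 2013, 2016/2019/365
$Apps           = 'Word', 'Excel'
$Meaning = @{
    1 = 'enable all macros (unsafe)'
    2 = 'disable all macros with notification'
    3 = 'disable all macros except digitally signed'
    4 = 'disable all macros without notification'
}

function Get-MacroPolicy {
    foreach ($v in $OfficeVersions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            [pscustomobject]@{
                Version     = $v
                App         = $app
                VBAWarnings = $val
                Status      = if ($null -eq $val) { 'not set by policy (user choice applies)' } else { $Meaning[[int]$val] }
                Enforced    = ($val -eq 4)
            }
        }
    }
}

function Set-MacroPolicy {
    foreach ($v in $OfficeVersions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # 4 = "Disable all macros without notification"
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        }
    }
}

# Report the current state; uncomment the second line to enforce and re-check
Get-MacroPolicy | Format-Table -AutoSize
# Set-MacroPolicy; Get-MacroPolicy | Format-Table -AutoSize
```

For a whole organisation, deploy the same value through the Office Administrative Templates in Group Policy rather than per machine; the `Get-MacroPolicy` report is then a quick way to confirm on a workstation that the policy actually applied.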

5. Awareness – Make users aware. Some things you can do to make users aware are as follows:

  • Send out company-wide e-mails from IT warning of these types of threats so that the general populace is aware

  • Print out and distribute flyers and post them in popular areas such as near drinking fountains, restrooms, kitchens, and common areas

  • Distribute the warning during mandatory company meetings or team meetings so users know how to recognize and deal with these types of threats
